[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[elpa] externals/nftables-mode b2991ce112 05/41: Notes from RFC4890 (sep
From: |
Stefan Monnier |
Subject: |
[elpa] externals/nftables-mode b2991ce112 05/41: Notes from RFC4890 (separate vmaps initially) |
Date: |
Mon, 23 May 2022 09:27:22 -0400 (EDT) |
branch: externals/nftables-mode
commit b2991ce112d5bc13f3f61bcb9db77176c80c36da
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
Notes from RFC4890 (separate vmaps initially)
---
nftables-host.nft | 46 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 44 insertions(+), 2 deletions(-)
diff --git a/nftables-host.nft b/nftables-host.nft
index 5ff348a36d..184e3c4465 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -62,6 +62,12 @@
####
#### NOTE: "table x" is implicitly "table ip x", which is IPv4 only.
#### If you want dual-stack, say "table inet x".
+####
+#### NOTE: If you blanket allow ICMPv6, YOU ARE TOTALLY INSECURE!
+#### If you blanket deny ICMPv6, YOU BROKE THE INTERNET!
+#### Ref. https://www.ietf.org/rfc/rfc4890.txt
+#### Ref.
https://raw.githubusercontent.com/intel/intel-iot-refkit/master/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template
+
# FIXME: add ICMPv6 then change "table ip" to "table inet" (i.e. dual-stack).
# FIXME: rate-limit ICMPv4 by source IP?
@@ -72,7 +78,6 @@ table inet my_filter {
chain my_input {
type filter hook input priority filter
policy drop
-
# Typically 95%+ of packets are part of an already-established flow.
# Allow those first, so we're a fast, stateful firewall.
# The rest SHOULD be "ct state new" (or untracked).
@@ -84,8 +89,45 @@ table inet my_filter {
iif lo accept
# Allow arbitrary IPv4/ICMP and IPv6/ICMPv6.
# FIXME: this is too broad -- narrow this!
+ # Ref. https://www.ietf.org/rfc/rfc4890.txt
+ # Ref.
https://raw.githubusercontent.com/intel/intel-iot-refkit/master/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template
ip protocol icmp accept
- ip6 nexthdr icmpv6 accept
+# ip6 nexthdr icmpv6 accept comment "blanket allow ICMPv6 ---
insecure!"
+
+
+ # FOR THE FORWARD CHAIN (RFC 4890 4.3)
+ icmpv6 type vmap {
+ 1 - 4 : accept, # RFC 4890 4.3.1 essential errors
+ 128 - 129 : accept, # RFC 4890 4.3.1 Echo (ping)
+ 144 - 147 : accept, # RFC 4890 4.3.2 Mobile IPv6
+ 150 : drop, # RFC 4890 4.3.4 Seamoby
+ 5 - 99 : drop, # RFC 4890 4.3.4 unallocated error messages
+ 102 - 126 : drop, # RFC 4890 4.3.4 unallocated error messages
+ 154 - 199 : drop, # RFC 4890 4.3.4 unallocated informational
messages
+ 202 - 254 : drop, # RFC 4890 4.3.4 unallocated informational
messages
+ 139 - 140 : drop, # RFC 4890 4.3.5 node information
+ 138 : drop, # RFC 4890 4.3.5 route renumbering
+ 100 - 101 : drop, # RFC 4890 4.3.5 experimental allocations
+ 200 - 201 : drop, # RFC 4890 4.3.5 experimental allocations
+ 127 : drop, # RFC 4890 4.3.5 extension type numbers
+ 255 : drop, # RFC 4890 4.3.5 extension type numbers
+ }
+
+ # FOR THE INPUT CHAIN (RFC 4890 4.4)
+ icmpv6 type vmap {
+ 1 - 4 : accept, # RFC 4890 4.4.1 essential errors
+ 128 - 129 : accept, # RFC 4890 4.4.1 Echo (ping)
+ 133 - 136 : accept, # RFC 4890 4.4.1 (replaces ARP and DHCPv4)
+ 141 - 142 : accept, # RFC 4890 4.4.1 (replaces ARP and DHCPv4)
+ 130 - 132 : accept, # RFC 4890 4.4.1 LLMNR
+ 143 : accept, # RFC 4890 4.4.1 LLMNR
+ 148 - 149 : accept, # RFC 4890 4.4.1 SEND
+ 151 - 153 : accept, # RFC 4890 4.4.1 Multicast Router
+ 137 : drop, # RFC 4890 4.4.4 Redirect
+ 139 - 140 : drop, # RFC 4890 4.4.4 Node Information
+ }
+
+
# YOUR RULES HERE.
# NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
- [elpa] branch externals/nftables-mode created (now 05600129ee), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 103844fb41 07/41: move the ICMPv6 policy to a separate named map, so it's out of the way, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 8b6ccea869 18/41: fixup! Got the IPS working at last (inc IPv6), mua ha ha!, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 3e71d87a8c 23/41: Chuck out the stateless vmap example from the "simple version" firewall, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode bf11cb5fec 06/41: merge the RFC4890 input and forward vmaps into a single common vmap, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 78a1a48898 04/41: cannot reject as default policy, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 7350707c88 12/41: forked from nftables-host.nft, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode b466c545f5 14/41: Example NAT rules (load OK, but haven't actually tested packets going through them), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode b2991ce112 05/41: Notes from RFC4890 (separate vmaps initially),
Stefan Monnier <=
- [elpa] externals/nftables-mode f354d71598 13/41: break prologue (nee PRELUDE) out of input, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 35e908d774 03/41: just a backup copy in case I lose the original somewhere, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 14856f12c1 20/41: more notes, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 6fbf0a5557 01/41: Update iptab imports from twb's personal git repo., Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode e47799589c 16/41: add remaining allow/deny rules from alpha as an example, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode fb87ee1e07 24/41: Use stateful ICMP/ICMPv6 filtering by default (but leave the vmaps as documentation), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode d04e123fc3 29/41: fixup! reference nftables ruleset, Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 4974259919 30/41: typo fixes (thanks mattcen), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 3e9c8cf907 32/41: fixup! typo fixes (thanks mattcen), Stefan Monnier, 2022/05/23
- [elpa] externals/nftables-mode 70910dbc2a 35/41: Merge remote-tracking branch 'KB/master', Stefan Monnier, 2022/05/23